What is the purpose of RBAC in Kubernetes?
RBAC is used to control what actions a user or service account can perform on specific resources in the cluster.
What Kubernetes object is used to define a set of permissions for a namespace?
A Role object defines a set of permissions within a namespace.
What three fields are used inside each RBAC rule?
Each RBAC rule is built from apiGroups resources and verbs.
How do you specify the core API group in a Role rule?
For core resources such as pods you leave the apiGroups field empty.
In the lecture example what resources and actions were given to the developer role?
The developer role was allowed to work with pods using verbs such as get list create and delete and was also allowed to create ConfigMaps.
What object connects a user to a Role in Kubernetes RBAC?
A RoleBinding connects a user group or service account to a Role.
What are the two main sections inside a RoleBinding spec?
A RoleBinding mainly uses subjects to define who gets access and roleRef to define which Role is being granted.
Are Roles and RoleBindings namespaced or cluster scoped?
Roles and RoleBindings are namespaced objects and their permissions apply only within that namespace.
How do you give a user access in a different namespace?
You create the Role and RoleBinding in that target namespace instead of the default namespace.
Which command lets you check whether your current identity can perform an action?
kubectl auth can-i lets you test whether an action is allowed.
How can an administrator test another users permissions without logging in as that user?
An administrator can use kubectl auth can-i with the –as option to impersonate that user.
How can you test whether a user can perform an action in a specific namespace?
Use kubectl auth can-i with the action and resource plus the namespace option such as -n.
What does the resourceNames field in an RBAC rule let you do?
The resourceNames field lets you restrict access to specific named resources instead of all resources of that type.
In the lecture example how could resourceNames be used for pods?
It could be used to allow access only to specific pods such as blue and orange instead of every pod in the namespace.
What is a very important CKAD distinction related to Roles that is useful to remember even beyond this lecture?
Role and RoleBinding are namespaced while ClusterRole and ClusterRoleBinding are used for cluster wide permissions.
-
Kubernetes Resource Lecture51
-
Service Account40
-
Taints and Tolerations27
-
Node Selectors20
-
Node Affinity24
-
Multi-containers Design Pattern Lecture21
-
Misc (Cards that don't belong to a specific deck)4
-
Readiness and Liveness Probes28
-
Metrics23
-
Rolling Updates and Rollbacks29
-
Updating a deployment23
-
Canary Deployment Strategy4
-
Jobs23
-
CronJobs8
-
Network Policies23
-
Ingress Policies33
-
Volume Types11
-
Persistent Volumes5
-
Persistent Volume Claims14
-
Authentication5
-
Security - Kubeconfig12
-
Kubernetes API21
-
Authorization21
-
RBAC15
-
Cluster Roles16
-
Admission Controllers16
-
API Versions15
-
API Deprecations18
-
Custom Resource20
-
Helm Intro15
-
Helm Concepts22
-
Kustomize Intro15
-
Kustomize vs Helm15
-
Kustomize Transformers16
